Livemesh Addons by Elementor Security & Risk Analysis

wordpress.org/plugins/addons-for-elementor

Elementor Addons that save time with multiple ready-to-use drag and drop styles for 30+ essential widgets built for Elementor page builder.

40K active installs · v9.0 · PHP 5.8+ · WP 5.8+ · Updated Nov 14, 2025
Tags: elementor, elementor-addons, elementor-extensions, elementor-widgets, page-builder
Score: 30
D · High Risk
CVEs total: 22
Unpatched: 3
Last CVE: Apr 15, 2026
Safety Verdict

Is Livemesh Addons by Elementor Safe to Use in 2026?

High Risk

Score 30/100

Livemesh Addons by Elementor carries significant security risk with 22 known CVEs, 3 still unpatched. Consider switching to a maintained alternative.

22 known CVEs · 3 unpatched · Last CVE: Apr 15, 2026 · Updated 6mo ago
Risk Assessment

The 'addons-for-elementor' plugin version 9.0 presents a mixed security posture. While it exhibits some positive security practices, such as 100% output escaping and no file operations or external HTTP requests, significant concerns remain. The plugin has a history of numerous vulnerabilities, totaling 18 known CVEs, with 2 high and 16 medium severity issues. This extensive history, especially the prevalence of path traversal, cross-site scripting, and missing authorization, suggests recurring or systemic security weaknesses within the codebase that have been difficult to fully remediate.

The static analysis reveals a somewhat limited but concerning attack surface. Out of 2 total entry points, 1 AJAX handler lacks authentication checks, which is a critical oversight. While the plugin has nonce and capability checks, their limited application on entry points is a weakness. The SQL query practices are inconsistent, with only 33% using prepared statements, potentially leaving the plugin vulnerable to SQL injection if the remaining queries handle user-supplied data improperly. The absence of taint analysis results might indicate a limited scope of the analysis or that the tool couldn't identify complex data flows, which should not be mistaken for an absence of risk. The bundled Freemius library at v1.0 is also a potential concern if it's an outdated version with known vulnerabilities.

In conclusion, despite some good security practices, the plugin's extensive vulnerability history, combined with a critical unauthenticated AJAX handler and inconsistent SQL preparation, creates a significant risk. The recurring types of vulnerabilities suggest a need for more rigorous code auditing and a more robust approach to security across all entry points. The lack of currently unpatched CVEs is a positive, but the overall risk profile remains elevated due to the historical patterns and identified code weaknesses.

Key Concerns

  • Unauthenticated AJAX handler detected
  • Only 33% of SQL queries use prepared statements
  • 18 known CVEs with multiple high/medium severity
  • Bundled Freemius v1.0 may be outdated
Vulnerabilities
22 published

Livemesh Addons by Elementor Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2021: 1 CVE
  • 2022: 1 CVE
  • 2024: 16 CVEs
  • 2026: 3 CVEs (unpatched)

Severity Breakdown

  • High: 3
  • Medium: 19

22 total CVEs

CVE-2026-1572 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings

Apr 15, 2026 · Unpatched
CVE-2026-1620 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter

Apr 15, 2026 · Unpatched
CVE-2026-39636 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh Addons for Elementor <= 9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 13, 2026 · Unpatched
CVE-2024-47303 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh Addons for Elementor <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 25, 2024 Patched in 8.5.1 (568d)
CVE-2024-8858 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piechart_settings Parameter

Sep 24, 2024 Patched in 8.5.1 (10d)
CVE-2024-2385 · high · 8.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Elementor Addons by Livemesh <= 8.4 - Authenticated (Contributor+) Limited Local File Inclusion via Widgets

Jul 3, 2024 Patched in 8.4.1 (16d)
CVE-2024-3638 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets

Jul 3, 2024 Patched in 8.4.2 (16d)
CVE-2024-2926 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Various Widgets

Jul 3, 2024 Patched in 8.4 (16d)
CVE-2024-3639 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid

Jul 3, 2024 Patched in 8.4 (17d)
CVE-2024-2539 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via widget _id attribute

Apr 9, 2024 Patched in 8.3.7 (1d)
CVE-2024-2655 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name

Apr 9, 2024 Patched in 8.3.7 (1d)
CVE-2024-1466 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Multislider Widget

Mar 13, 2024 Patched in 8.3.6 (28d)
CVE-2024-1464 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Slider Widget

Mar 13, 2024 Patched in 8.3.6 (28d)
CVE-2024-1465 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Carousel Widget

Mar 13, 2024 Patched in 8.3.6 (28d)
CVE-2024-1461 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget

Mar 13, 2024 Patched in 8.3.6 (28d)
CVE-2024-1458 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text Widget

Mar 13, 2024 Patched in 8.3.6 (28d)
CVE-2024-25598 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh Addons for Elementor <= 8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via animated_text_class

Feb 12, 2024 Patched in 8.3.1 (3d)
CVE-2024-1235 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 7, 2024 Patched in 8.3.3 (14d)
CVE-2024-0448 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Elementor Addons by Livemesh <= 8.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 25, 2024 Patched in 8.3.2 (187d)
CVE-2022-3862 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh Addons for Elementor <= 7.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 21, 2022 Patched in 7.2.4 (428d)
CVE-2021-24260 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Livemesh Addons for Elementor <= 6.7.1 - Contributor+ Stored Cross-Site Scripting

Apr 13, 2021 Patched in 6.8 (1015d)

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 2.6 (1793d)
Code Analysis
Analyzed Mar 16, 2026

Livemesh Addons by Elementor Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (1 prepared)
  • Unescaped Output: 438 (567 escaped)
  • Nonce Checks: 2
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

33% prepared · 3 total queries

Output Escaping

56% escaped · 1005 total outputs
Attack Surface
1 unprotected

Livemesh Addons by Elementor Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_lae_admin_ajax · admin\admin-ajax.php:28

Shortcodes 1

[lae_pricing_item] · includes\widgets\pricing-table.php:28

WordPress Hooks 28

action · wp_head · addons-for-elementor.php:99
action · admin_init · admin\admin-ajax.php:25
action · admin_enqueue_scripts · admin\admin-ajax.php:30
action · admin_menu · admin\admin-init.php:40
action · admin_init · admin\admin-init.php:42
action · admin_enqueue_scripts · admin\admin-init.php:45
action · current_screen · admin\admin-init.php:47
action · load-plugins.php · admin\admin-init.php:56
action · admin_notices · admin\admin-init.php:57
action · admin_post_lae_dismiss_notice · admin\admin-init.php:58
action · admin_notices · admin\admin-init.php:67
action · admin_notices · admin\admin-init.php:68
filter · wpml_elementor_widgets_to_translate · i18n\wpml-compatibility-init.php:37
action · elementor_pro/init · includes\theme-builder\init.php:45
action · elementor/theme/register_locations · includes\theme-builder\init.php:55
action · elementor/documents/register · includes\theme-builder\init.php:57
action · elementor/widgets/register · includes\theme-builder\init.php:59
action · plugins_loaded · plugin.php:127
action · init · plugin.php:128
action · wpml_st_loaded · plugin.php:147
filter · sgo_lazy_load_exclude_classes · plugin.php:149
action · elementor/widgets/register · plugin.php:150
action · elementor/editor/after_enqueue_styles · plugin.php:151
action · elementor/frontend/after_register_scripts · plugin.php:152
action · elementor/frontend/after_register_styles · plugin.php:153
action · elementor/frontend/after_enqueue_styles · plugin.php:154
action · elementor/init · plugin.php:155
action · elementor/controls/register · plugin.php:156
Maintenance & Trust

Livemesh Addons by Elementor Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Nov 14, 2025
  • PHP min version: 5.8
  • Downloads: 4.1M

Community Trust

  • Rating: 96/100
  • Number of ratings: 154
  • Active installs: 40K
Developer Profile

Livemesh Addons by Elementor Developer Profile

livemesh

8 plugins · 80K total installs

  • Trust score: 64
  • Avg Security Score: 79/100
  • Avg Patch Time: 243 days
Detection Fingerprints

How We Detect Livemesh Addons by Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/addons-for-elementor/assets/css/livemesh-el-addons.css
/wp-content/plugins/addons-for-elementor/assets/js/livemesh-el-addons.js
/wp-content/plugins/addons-for-elementor/includes/widgets/premium/assets/css/premium-addons.css
/wp-content/plugins/addons-for-elementor/includes/widgets/premium/assets/js/premium-addons.js
Script Paths
/wp-content/plugins/addons-for-elementor/freemius/start.php
Version Parameters
addons-for-elementor/assets/css/livemesh-el-addons.css?ver=
addons-for-elementor/assets/js/livemesh-el-addons.js?ver=
addons-for-elementor/includes/widgets/premium/assets/css/premium-addons.css?ver=
addons-for-elementor/includes/widgets/premium/assets/js/premium-addons.js?ver=

HTML / DOM Fingerprints

CSS Classes
lae-info-box-icon
livemesh-el-addons
Data Attributes
data-lae-nonce
JS Globals
window.lae_fs